Firewall (iptables) rule to limit Apache connections

Benjamin Scott dragonhawk at gmail.com
Wed May 19 11:21:07 EDT 2010


On Wed, May 19, 2010 at 9:26 AM, Kevin D. Clark
<kevin_d_clark at comcast.net> wrote:
> Have you given any consideration to the fact that in HTTP 1.1 there
> are persistent connections and that the level of control offered to
> you by iptables might be too low-level for you to effectively manage
> the traffic that your system is dealing with?

  Hmmm.  His reported complaint was that some clients are opening a
high number of simultaneous TCP connections, thus eating up all the
Apache worker processes.  If the clients were well-behaved and just
used HTTP keep alives, it wouldn't exhaust the Apache worker pool.  So
if these rude clients are well and truly the only problem, simply
limiting the number of TCP connections from a single IP address would
address that.

  Some advantages to using iptables include: Likely uses less
resources than letting things hit Apache; possibly a more lightweight
implementation; works with any web server.  Disadvantages include:
Won't work on non-Linux hosts; some hosting providers will let you
tweak Apache but not the firewall; less fine-grained control (as Kevin
notes).

  All that said, I'm not advocating any particular approach.  I'm not
familiar with Apache's mechanisms for this in the first place, but I
have dabbled in other kinds of network traffic control before, and
I've learned it can be surprisingly tricky.  Often a given technique
will have unanticipated side-effects.  Without knowing more I can't
say what approach is best.

-- Ben
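The per-IP connection cap Ben describes maps directly onto iptables' connlimit match. The following is an added example, not code from the original thread or from any of its posters. It assumes a Linux host with iptables and the xt_connlimit module, the web server listening on TCP/80, and a cap chosen by the caller; the function only prints the rules, so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example: emit iptables rules that cap how many simultaneous TCP
# connections a single source may hold to the web server.
#
# Assumptions (not stated in the thread):
#   - iptables with the connlimit match (xt_connlimit) is available
#   - the web server listens on TCP port 80
#   - the cap, source mask and port are chosen by whoever runs this
#
# Only the first packet of a new connection (--syn) is matched, so
# established and keep-alive connections are left alone; connlimit
# counts all of them toward the cap, though, so the limit should be
# comfortably above what one well-behaved browser opens.

connlimit_rules() {
    limit="${1:-20}"   # max concurrent connections per source
    mask="${2:-32}"    # prefix length used to group sources (32 = one IP,
                       # 24 lumps a whole /24 such as a NAT'd office together)
    port="${3:-80}"

    # Log excess SYNs at a bounded rate so the log cannot be flooded,
    # then reset them so the client fails fast instead of retrying.
    printf 'iptables -I INPUT 1 -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -m limit --limit 10/min -j LOG --log-prefix "connlimit: "\n' \
        "$port" "$limit" "$mask"
    printf 'iptables -I INPUT 2 -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$port" "$limit" "$mask"
}

# Inverse of the above, to back the change out without flushing the chain.
connlimit_remove() {
    limit="${1:-20}"
    mask="${2:-32}"
    port="${3:-80}"
    printf 'iptables -D INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -m limit --limit 10/min -j LOG --log-prefix "connlimit: "\n' \
        "$port" "$limit" "$mask"
    printf 'iptables -D INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$port" "$limit" "$mask"
}

# Usage (as root):   connlimit_rules 25 32 80 | sh
# Verify afterwards: iptables -S INPUT | grep connlimit
# Roll back:         connlimit_remove 25 32 80 | sh
```

The mask argument is the knob Kevin's objection really turns on: with `--connlimit-mask 32` every NAT'd client behind one corporate address shares the cap, so a site with such clients either raises the limit or accepts that those users will be throttled as a group. Because connlimit relies on conntrack, the count includes idle keep-alive sockets until they close or time out, which is another reason to set the cap above a single browser's normal parallelism.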

